Related Documentation
- J Series
- Example: Enabling IDP in a Security Policy
- Example: Defining Rules for an IDP IPS Rulebase
- SRX Series
- Understanding DSCP Rules in IDP Policies
- Example: Enabling IDP in a Security Policy
- Example: Defining Rules for an IDP IPS Rulebase
- Additional Information
- Junos OS CLI Reference

- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Configuring DSCP Rules in an IDP Policy
This example shows how to configure DSCP values in an IDP policy.
Requirements
Before you begin:
- Configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices
. - Enable IDP application services in a security policy. See Example: Enabling IDP in a Security Policy.
- Create security zones. See Example: Creating Security Zones.
- Define rules. See Example: Inserting a Rule in the IDP Rulebase .
Overview
Configuring DSCP values in IDP policies provides a method of associating CoS values—thus different levels of reliability—for different types of traffic on the network.
This example shows how to create a policy called policy1, specify a rulebase for this policy, and then add rule R1 to this rulebase. In this example, rule R1:
- Specifies the match condition to include any traffic from a previously configured zone called trust to another previously configured zone called untrust. The match condition also includes a predefined attack group called HTTP - Critical. The application setting in the match condition is specified as the default and matches any application configured in the attack object.
- Specifies an action to rewrite the CoS field in the IP header with the DSCP value 50 for any traffic that matches the criteria for rule R1.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various
levels in the configuration hierarchy. For instructions on how to
do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide
.
To configure DSCP values in an IDP policy:
- Create a policy by assigning a meaningful name to it. [edit]user@host# edit security idp idp-policy base-policy
- Associate a rulebase with the policy. [edit security idp idp-policy base-policy]user@host# edit rulebase-ips
- Add rules to the rulebase[edit security idp idp-policy base-policy rulebase-ips]user@host# edit rule R1
- Define the match criteria for the rule.[edit security idp idp-policy base-policy rulebase-ips R1]user@host# set match from-zone trust to-zone untrust source-address any destination-address any application default
user@host# set match attacks predefined-attack-group “HTTP - Critical” - Specify an action for the rule.[edit security idp idp-policy base-policy rulebase-ips R1]user@host# set then action mark-diffserv 50
- Continue to specify any notification or logging options for the rule, if required.
- Activate the policy. [edit]user@host# set security idp active-policy base-policy
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the DSCP values were configured in an IDP policy.
Action
From operational mode, enter the show security idp status command.
Related Documentation
- J Series
- Example: Enabling IDP in a Security Policy
- Example: Defining Rules for an IDP IPS Rulebase
- SRX Series
- Understanding DSCP Rules in IDP Policies
- Example: Enabling IDP in a Security Policy
- Example: Defining Rules for an IDP IPS Rulebase
- Additional Information
- Junos OS CLI Reference

- Junos OS Feature Support Reference for SRX Series and J Series Devices


